You can't provide visible, demonstrable evidence of compliance if you don't have policies, processes that underpin your policies, and tracking mechanisms that record process results.

Measuring the Cost of Non-Compliance?

So how do we measure the risk, and thereby the cost of non-compliance, especially with respect to an event that appears to be unlikely?

Risk = Probability x Impact

In the past the probability of something "BAD" happening as a result of HIPAA non-compliance was close to zero. Why? Because prior to the HITECH Act, HIPAA was an unenforced paper tiger. There was no fear or concern, and none was warranted. All the "insiders" knew HHS' dirty little secret and acted accordingly. That all changed with HITECH. We now know that the impact of a major breach is HUGE! The impact may include:

Stiff fines from HHS

Multi-million dollar notification costs

Lawsuits from State AGs

Class action suits

If you still believe that the impact is small, then you have been asleep at the wheel, and it is likely that your organization will be the next to make the news. No, most C-Suite executives now understand there may be a significant impact. However, they also likely believe that the probability part of the risk equation is small. The question is:

What is the probability of getting caught?

The answer is that it is becoming more probable every day. Here are three scenarios sure to get you caught, in descending order of probability:

Your organization will experience a breach;

Your organization will have a patient complain, and the nature of the complaint will show "willful neglect";

Your organization will be randomly audited.

The probability of all three scenarios is growing. There are no PHI risk-free environments. NONE. To most compliance professionals this is common sense and a recognition of the business reality that they live in. There is simply no budget big enough and not enough hours in your organization's lifetime to eliminate all risk related to PHI, nor do the regulations call for that. The Security Rule calls for "reasonable and appropriate safeguards" (granted, some of the safeguards are totally non-trivial to implement correctly).

Get the basics covered & then
focus on the BIG PAIN points that are likely to cause you the most liability.

So what? The so what is that "the best is the enemy of the good." Like so many things in competitive environments, it is the basic "blocking and tackling" that often gets overlooked. Get the basics covered and then focus on those high pain point areas that are likely to cause you the most liability. Here are a couple of interesting data points from PwC's recent survey:

Of the 11 million people affected by data breaches since September 2009, 55% were affected by data breaches involving business associates. Healthcare organizations have only grazed the surface when it comes to ensuring their business associates can be trusted with PHI. Only 38% perform pre-contract assessments of their business associates and just 26% conduct post-contract compliance assessments.

Of the electronic data breaches reported to OCR, 90% were the result of a lost computer or device, theft, or unauthorized access/disclosure.

Focusing on business associate and portable/mobile device risk is therefore a good place to get outstanding ROI on your compliance investment.

You Can't Manage What You Don't Measure

Our H2 Compliance Scorecard is a key component of our compliance governance methodology. It works hand-in-hand with our Checklists and allows your organization to provide an "at-a-glance" status of your compliance initiative. Our Scorecards are a mechanism for providing visible, demonstrable evidence of compliance initiative progress. They are useful for both internal and external reporting, and they show that you are, in fact, measuring the thing you are trying to manage.